[
https://issues.apache.org/jira/browse/SHIRO-115?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Les Hazlewood updated SHIRO-115:
--------------------------------
Affects Version/s: 0.9 (was: 1.0)
> ActiveDirectoryRealm might be vulnerable to LDAP search code injection
> ----------------------------------------------------------------------
>
> Key: SHIRO-115
> URL: https://issues.apache.org/jira/browse/SHIRO-115
> Project: Shiro
> Issue Type: Bug
> Components: Authentication (log-in)
> Affects Versions: 0.9
> Reporter: Reiner Saddey
> Assignee: Les Hazlewood
> Priority: Minor
> Fix For: 1.0
>
>
> When searching for a userName within getRoleNamesForUser, the search filter
> is built by inserting the literal value from userName. Two potential problems
> might arise: userName might contain (deliberately crafted) LDAP syntax
> elements that could be used to affect the search. Permissible user principal
> names within AD (e.g. "A(1") might be rejected due to syntax problems (even
> some Microsoft software packages appear to be quick-and-dirty here - see note
> at bottom of http://technet.microsoft.com/en-us/library/cc730634(WS.10).aspx).
> This potential vulnerability can easily be fixed by using search parameters
> instead of literals (which should be considered good style anyway). The
> actual chance for an exploit appears to be very remote, but hackers are so
> creative :-)
> // vulnerable to injection: the literal value is concatenated into the filter
> String searchFilter = "(&(objectClass=*)(userPrincipalName=" + userPrincipalName + "))";
> // vulnerable to injection
> NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchCtls);
>
> // fixed: the value is passed as a filter argument and substituted for {0}
> String searchFilter = "(&(objectClass=*)(userPrincipalName={0}))";
> Object[] searchArguments = new Object[] {userPrincipalName};
> NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchArguments, searchCtls);
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
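The following is an added illustration of the two filter-building approaches from the report above; it is neither Shiro's code nor the reporter's. It puts the parameterized JNDI search into a helper, and adds a manual RFC 4515 escaping routine for situations where a filter has to be assembled as a string. The class name, method names, the `memberOf` returning attribute and the subtree scope are choices made for this example; the `{0}` substitution and its escaping of `*`, `(`, `)`, `\` and NUL are documented behaviour of `javax.naming.directory.DirContext.search`.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Example class (not part of Shiro): contrasts the concatenated filter from
 * the report with a parameterized search and with manual RFC 4515 escaping.
 */
public class LdapFilterExample {

    /** The filter exactly as the report's vulnerable code builds it. */
    static String concatenatedFilter(String userPrincipalName) {
        return "(&(objectClass=*)(userPrincipalName=" + userPrincipalName + "))";
    }

    /**
     * Escape an assertion value per RFC 4515 section 3: '*', '(', ')', '\'
     * and NUL are replaced by a backslash followed by two hex digits, so the
     * value can no longer alter the structure of the filter it is placed in.
     */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Same filter as above, but with the value escaped before concatenation. */
    static String escapedFilter(String userPrincipalName) {
        return "(&(objectClass=*)(userPrincipalName="
                + escapeFilterValue(userPrincipalName) + "))";
    }

    /**
     * The parameterized form recommended in the report: JNDI substitutes the
     * argument for {0} and escapes the special characters itself, so the
     * caller never builds the filter from untrusted text.
     */
    static NamingEnumeration<SearchResult> searchByPrincipal(
            DirContext ctx, String searchBase, String userPrincipalName)
            throws NamingException {
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // "memberOf" is an assumed attribute list for a role lookup in this example.
        ctls.setReturningAttributes(new String[] {"memberOf"});
        String filter = "(&(objectClass=*)(userPrincipalName={0}))";
        return ctx.search(searchBase, filter, new Object[] {userPrincipalName}, ctls);
    }

    public static void main(String[] args) {
        // "A(1" is the legitimate AD principal name cited in the report.
        String legitName = "A(1";
        System.out.println("concatenated: " + concatenatedFilter(legitName));
        System.out.println("escaped:      " + escapedFilter(legitName));
    }
}
```

Running `main` (no directory connection is needed for it) prints the concatenated filter with an unbalanced parenthesis, which an LDAP provider rejects as a malformed filter, and the escaped filter with the value rendered as `A\281`, which matches the stored `userPrincipalName` of `A(1`. The same two outcomes are what the report describes for a legitimate name: rejection with the literal approach, a correct match with parameters or escaping.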